Migrating to Astaro Security Linux

Fed up with expensive, complicated firewalls, e-gaming company opts for open-source security solution.

Micah Lloyd, a senior systems administrator for eBet Ltd., knew that
he needed to upgrade the security for eBet's distributed network. The
company had been using Check Point 4.0 as a perimeter firewall solution
for its five offices. The problem was, though, that upgrading to the
latest version of Check Point would be a costly and time-consuming
proposition. Not only would eBet need to pay for and manually install
new software, but the underlying hardware also would need to be updated,
further adding to the overall cost and complexity of the upgrade.

Headquartered in Australia and with operations and contractual
arrangements in New Zealand, Singapore, Greece, the Philippines and
the USA, eBet is a public company listed on the Australian and New
Zealand Stock Exchanges (ASX/NZSE: EBT). The company is divided into a
Gaming Systems Division and an Online Division. The Gaming Systems
Division develops and markets a range of networked solutions for
gaming machines. The Online Division develops and operates turnkey
Internet-based wagering systems for licensed gaming operators in
international markets. eBet operates Internet systems for the New Zealand
TAB, Penn National Gaming and Playboy.com.

Micah Lloyd was hired by eBet to administer and upgrade the network
serving eBet's two divisions. "When I came on board, it was immediately
obvious that our security system was out of date, and it threatened to
impact our business." Lloyd initially explored simply updating to the
latest Check Point offering. He noticed several potential problems,
however, such as high cost, lack of redundancy and a complicated
upgrade process.

"To upgrade our remote firewalls, we had to rely on a central management
console in our Australia office and local staff at each of the remote
offices had to be present to manually complete the upgrades." Lloyd said
that with as much as a 17-hour time difference between offices, simply
coordinating updates was a problem. Staff at some of the offices would
be forced to show up in the middle of the night. To make matters worse,
each eBet office has a different mission: the ones that serve as gaming
portals do so for different regions, while the Carlsbad office acts
as a software development facility in addition to providing systems
management. This meant that each firewall conceivably would need a
different set of rules, which further complicated matters.

Facing a time-consuming and expensive upgrade process, Lloyd found an
ideal solution: he turned to an all-in-one security product. Lloyd set
up his own network at home where he downloaded a free 30-day trial of
Astaro Security Linux. "To meet my own firewall requirements for my
Linux- and Windows-based network, I investigated several open-source solutions. I looked at
SmoothWall, IPCop and Astaro, among others, and as I investigated
the features offered by each, I found that with Astaro I could turn an
inexpensive server into an all-purpose security appliance", he said.

Lloyd also noted a key gap in the other open-source offerings: the lack
of NAT support. "Without NAT, the other solutions may work for a single
home or small office deployment, but they're inappropriate for a large
network with a number of devices behind the firewall." Lloyd says he
was further won over by the fact that Astaro offers
a simplified, standardized installation process, as well as providing
several security features, including a firewall, packet inspection and
antivirus protection, all in a single software product.

"After I had Astaro Security Linux up and running at home, I tried to
link up with eBet's Carlsbad office in order to remotely manage that
network", Lloyd said. It turns out that Astaro blocked this communication
because the VPN he was trying to use was a relatively weak 40-bit DES
VPN provided by the Check Point system. "In other words, Astaro protects
you from yourself." At that point, he recommended to his company that
they replace all of their existing firewalls with Astaro Security Linux.

With help from Astaro's technical support team, Lloyd was able to migrate
up from a weak 40-bit DES VPN to a robust 128-bit IPSec VPN. Astaro's
team worked with Lloyd to get the VPN up and running, allowing him to
securely administer the eBet network from home or even from his hotel
while he's on vacation.

"Working with Astaro is much different than working with one of the
large software vendors," Lloyd said. He noted that when eBet tried to
move certain software licenses from another vendor to a new office,
the company had to engage consultants from the vendor, which turned
into a long, costly process that forced eBet to take one location
off-line for an entire day. "With Astaro, I simply have a license for a
certain number of IP addresses. If my office moves or my network changes,
I simply update the IP address list. That's it."

In addition to features such as a firewall and VPN support, a software
security appliance needs to be reliable, manageable and current. If
the appliance server hardware fails, Lloyd says he can install the
Astaro software on a different server or even a Linux-based PC within
20 minutes. Because Astaro software contains its own IP address, it
functions as a self-contained entity capable of automatically making its
own updates, such as patches and new virus signatures, saving Lloyd the
hassle of manually collecting and pushing out all of these updates to
each of the five locations.

In addition to managing eBet's network and developing gaming systems,
eBet's development and administration office also does outside system
integration work for companies without their own in-house networking
expertise. "After I sold my company on Astaro, I found myself bundling it with the
systems we were designing for our customers", Lloyd said. eBet's customers
knew they needed firewalls, but most also requested something to help
them block spam and filter out unwanted Web content, both of which are
available with Astaro. "Astaro provided me with all of my security needs in one package,
at a fraction of the cost of other solutions", Lloyd continued. "And when
you add to that the fact that it is simple to install and easy to manage,
while also keeping itself up-to-date, Astaro is a compelling alternative
to the other security offerings on the market."

Victor Cruz is a consultant and writer living in Boston who has
published articles in American Venture, Boston Business Journal, Harvard Review
and Wireless Business & Technology. Write him at
vcruz1@comcast.net.


Speaking as someone who has 5 Astaro boxes, I like the firewall but the spam filter is the worst I have ever used.
I want to go back to my Barracuda spam filter. The Astaro misses a LOT of spam!!!!!
That wouldn't be so bad if they gave you an easy way to blacklist domains, email addresses or IP addresses and/or subnets, but they don't.

OK, my name is Dylan and I am having a big problem with the Astaro Security system. I have been trying to figure out a way to get through the security system because I'm trying to see if I could do it, but I'm in a little bit of trouble because I don't know how to get through it, and I was wondering if anyone knew anything that I could do to get around the Astaro system?
e-mail about the info
at118526@carthage.k12.mo.us

I'm a systems administrator at a construction company in York, PA. We added Astaro as a separate firewall. We used it to replace Computer Associates InoculateIT antivirus software on my Exchange server. It was outdated and we had to make a decision to either upgrade it or do something else. The guy at the time with the network recommended Astaro. He said he saw it somewhere, so we gave it a try; I think it had a 30-day free trial or something like that. It impressed us so much we decided to buy it. So far it has worked great repelling viruses, and since we haven't been "hacked" into, I can only assume this too is working.

Check Point is complicated and expensive. Astaro is low-cost and effective. End of story. One product replaced another. Period. This is not a technical review. For a full in-depth review of Astaro, refer to July's issue: http://www.linuxjournal.com/article.php?sid=6716

I agree that it is a horrible article. I found it incorrect in a number of places and in others it didn't make any sense. Since this talks about Astaro versus Check Point, I'll cite 10 quick examples where it belittles Check Point incorrectly:

--------------

1. The article stated that the upgrades of Check Point required people in all their offices, but what did they do for putting the new systems in? Surely they didn't install themselves.

2. The article stated that the cost and complexity of the upgrade was a factor. Moving from 4.0 to the latest version of Check Point, NG, it would probably be easiest to just recreate the policies on a separate management station--it's their fault for getting this far out of date (measured in years) and they'd have to recreate things for the new solution anyways. As for cost, did they contact Check Point? They're quite flexible and from looking at the pricing of the two solutions, it would have been more than competitive.

3. As for redundancy, there is built-in redundancy for site-to-site and client-to-site VPN tunnels, management, logging, and gateways in Check Point. Where's the redundancy "limitation"?

4. Stating that different rules for different firewalls is a "complication" is also deceptive. Check Point handles this very handily which is why so many enterprises are able to use it.

5. With regard to NAT support, almost everything on the face of the planet does NAT--the $80 wireless router I have here at my house does it. The other solutions he mentions also do NAT, which shows how poorly he reviewed the other solutions as well.

6. The 40-bit VPN he was using was his fault, 4.0 included support for strong encryption (3DES) using IPSec so he was probably using FWZ, didn't check the 3DES box, or he did not have a license for strong encryption. At the time 4.0 was released, IKE and AES weren't even standards, so of course it didn't support them. The Astaro device wasn't protecting him from himself, it simply didn't allow anything lower than 3DES in the GUI, which presents a serious problem with creating tunnels to devices in specific countries which are not able to use strong encryption.

7. "Automated Updates" is also misleading. It either happens from an administrator going directly to each device to do the update (time consuming) or they are automatically pulled from the internet and not controlled by the administrator. In which case, when the device pulls something down from the internet and it breaks functionality, an administrator must go to each device to fix it. This is why centralized management is important. Unfortunately, Astaro does not provide it. This is probably because there's not a free utility out there that does it.

8. Licensing is no longer the way he mentions it and hasn't been for years. Check Point has removed the necessity to tie a license to an IP address on the firewall. This is called "Centralized Licensing" and all changes can be done via the web.

9. The ability to have a system running on a Linux-based PC within 20 minutes isn't extraordinary. You must still spend time configuring the box all over again, including rules and IPSec information, and if you didn't have a backup file, you'll have to configure the VPNs on all the devices it is encrypting to using certificates. With Check Point's SecurePlatform (also a bootable, Linux-based installation) you can have a device up and running in under 10 minutes, and with centralized management you already have the configuration stored, so you just establish a trust between the device and the management station, push a policy, and it's done.

10. None of these changes are new to Check Point. Everything I mention has been around for over a year and if he actually did his homework he would have known this. And if he did his homework, I think it is likely that the outcome of his decisions would have been different--especially with other capabilities like being able to do user-based QoS, QoS inside the VPN, see logs in a useful manner (rather than just having them spew out into a window), do proactive attack detection and blocking with what Check Point calls "SmartDefense", etc.

------

Overall, he chose something he was comfortable with for home use and adapted it for the company he was working for instead of something that actually provided the security companies require. Most of the stuff he states here are simply rationalizations. He'll find this out the next time MSBlaster or SQL Slammer comes out and the response to the attack is "use packet filter to close the port". Hope you don't need to print, share files, or have your web server use that SQL server!

I really believe that he made a poor decision and put the company at risk. He has single-handedly placed the security of the eBet company in the hands of a small 40 person startup where it was on a platform which had over 300 developers alone to ensure the security of the software and local representatives all around the world. The article didn't mention support, which he will have to go through a local reseller to get, and if he wants support from Astaro directly, he will have to use the Bulletin Board. This entire article was self-serving for him and Astaro. I'm not surprised I saw part of it on the Astaro bulletin board.

Disclaimer: I know both Astaro and Check Point well and I think both are nice solutions with their places. Astaro works adequately for small companies or single firewall installations. However, a correctly architected solution from Check Point would have been more manageable and probably not too much more expensive. The reason I put all this here is because it hurts the Linux community when biased or untrue allegations are purported as "fact", because all the positives will get written off quickly when the incorrect pieces are brought to light.

Was running a PIX firewall and had constant attempts to break in some of the better explorers actually got by the PIX. So I called up a local distributor in NYC, Systems Solutions nice group of people that are very knowledgeable and don

How can it be doing NAT _with_ VPN? For NAT the source/destination addresses are rewritten which will screw up the checksum for the Authentication Header used by the VPN -- so you get a choice of _either_ VPN _or_ NAT.
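The comment above asks how NAT and an IPsec VPN can coexist. As an added illustration (not part of the thread, and not Astaro or Check Point code), this toy Python model hashes the fields each IPsec protocol protects to show why AH fails behind a source NAT while ESP does not; the key, addresses and payload are constructed.

```python
"""Toy model of why IPsec AH breaks behind NAT while ESP survives it."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"          # constructed; shared by both VPN gateways


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    ttl: int
    protocol: int                      # 51 = AH, 50 = ESP


def ah_protected_fields(hdr: IPv4Header) -> bytes:
    """Bytes covered by AH's integrity check value (ICV): the immutable outer
    header fields, with mutable ones (TTL, header checksum) zeroed as RFC 4302 requires."""
    return struct.pack(
        "!BB4s4s",
        0,                             # TTL slot, zeroed: any router may change it
        hdr.protocol,
        ipaddress.IPv4Address(hdr.src).packed,   # addresses are covered ...
        ipaddress.IPv4Address(hdr.dst).packed,   # ... so a NAT rewrite changes the hash
    )


def ah_icv(hdr: IPv4Header, payload: bytes) -> bytes:
    return hmac.new(KEY, ah_protected_fields(hdr) + payload, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP authenticates only the ESP header and encapsulated data, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def nat_rewrite(hdr: IPv4Header, public_src: str) -> IPv4Header:
    """What a source NAT on the path does: swap the private source address and decrement TTL."""
    return replace(hdr, src=public_src, ttl=hdr.ttl - 1)


def demo() -> dict:
    """Send one AH and one ESP packet from a private host; report what the receiver can verify."""
    payload = b"constructed inner packet"
    sent_ah = IPv4Header("10.0.0.5", "203.0.113.1", 64, 51)
    icv_ah, icv_esp = ah_icv(sent_ah, payload), esp_icv(payload)
    via_router = replace(sent_ah, ttl=sent_ah.ttl - 1)      # plain router hop, no NAT
    via_nat = nat_rewrite(sent_ah, "198.51.100.7")           # receiver sees the NAT's address
    return {
        "ah_after_router_hop": hmac.compare_digest(ah_icv(via_router, payload), icv_ah),
        "ah_after_nat": hmac.compare_digest(ah_icv(via_nat, payload), icv_ah),
        "esp_after_nat": hmac.compare_digest(esp_icv(payload), icv_esp),
    }
```

Real deployments resolve this by using ESP with UDP encapsulation (NAT traversal, RFC 3947/3948); AH has no NAT traversal mechanism.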

This review should have had more technical detail. The assertion that the firewalls presented by SmoothWall or IPCop don't do NAT is ridiculous.

Woop de doo, we've got a feature here! A key differentiation! I'm going to upgrade NOW. NAT is a must-have feature, a real killer app for Astaro Security Linux. Also the informed technical advice in this article swayed me, so knowledgeable!

Jokes aside, Astaro actually looks interesting, but where does he get the lack of NAT support? I can't think of anything that doesn't have NAT support; every SnapGear, DSL modem, Freesco or Coyote Linux firewall on a floppy has NAT. Doesn't Windows 98 with Internet Connection Sharing support NAT??

No, the article was not good! It is clearly an advert not an article and includes lots of incorrect information. For example both SmoothWall and IPCop support NAT. Pretty much all the 'advantages' stated are actually advantages of SmoothWall. The *only* thing missing from SmoothWall that the article is singularly correct about is that it does not have AV. But a disadvantage of Astaro is they licence by IP address - with Smoothwall there is no need to even enter the IPs - it works with any number from home user to enterprise.

Yes, the other iptables/ipchains-based firewalls all have NAT. Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities, but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI. But this is a "glossy", high-level overview, and very incomplete in its listing of the features of any of these software packages. As you say, it's mostly an advert for Astaro ("Our expert liked it, and used it successfully") and not a comparison of Linux firewall appliances. It doesn't seem to be trying to pretend otherwise.

"Smoothwall even has a fairly nice interface to it, slightly clumsy for large entities but large shops can SSH into the box itself and use gawk to build the configuration files instead of the GUI."

Isn't the point of having a Web-based user-interface that the end user will not have to use the command line and use utilities like gawk? For large entities, centralized management could simplify this significantly.

Agreed.... Smoothwall is a great product. However, I think Astaro is much more feature-rich and provides an easier interface than Smoothwall. It is well defined and does what it is supposed to do, very well. Although...Smoothwall doesn't have the hardware requirements of Astaro, so you can run it on much lesser hardware.

I would tend to think of Smoothwall being good for a small to medium corporation while Astaro fits the bill for the Enterprise.

advanced scan detection (Xmas, etc.) LOG, DROP
iptables-based with a good web interface (mod_ssl)(httpd)
DHCP server onboard
support for WiFi segment
support for CSU/DSU cards
support for xDSL modem cards
auto-update
a very good user-based support group (on the Astaro site)
every service is chrooted from each other

We've had problems with our Astaro installation for the last 6+ months - there's a kernel bug which they acknowledge but seem to be unable to fix. The firewalls crash quite regularly, once in every couple of weeks.

The biggest joke is that we're running an HA installation which in theory should mitigate the problem, but in fact the firewalls need rebooting with the power button.

The support has very poor language skills (at least their written English is terrible) and I don't consider it to be professional either.

I would not recommend Astaro to anyone. It may be good for home users but forget them in a corporate environment.